Post on 15-Jul-2020
Security Across the yOrganization
Paul JonesCIO – Clerk & Comptroller Palm Beach County
CISSP ITIL Expert Security+ Project+CISSP, ITIL Expert, Security+, Project+
1
Objectives:
• Organization wide security
IT’s role• IT’s role
• Security awareness
• Risks and liabilities
• The three tiers
• Leadership support
• The life cycle
The Paradigm Shift
Drives
Strategic TechnologyStrategic Alignment Organization Technology
Security
Enables
Tewksbury police pay hacker $500
Philadelphia IRS OPM
Breaches, breaches everywhere
pay hacker $500 ransom to decrypt
files
City Council website hacked after election
OPM B h #1
IRS610,000
Slack500 000
OPM Breach #221,500,000
Adult F i d
Cities probe
Breach #14,000,000
Ashley
Uber50,000
500,000Friend Finder
3,900,000 MSpy400,000
British Cities probe worker email
addresses linked to Ashley Madison
siteJapan
AirlinesPremera
Madison37,000,000
A t li
Airways“Tens of
Thousands”
Columbia city
baltimorecity.govoffline 16 hrs
Airlines750,000
Premera11,000,000
Carefirst1,100,000
Community
Australian Immigration“Unknown”
website offline 13 hours
Community Health Service
4,500,000
DCF200,000
The Security Chess GameMALWARE & VIRUSES
PHISHING
SOCIAL ENGINEERING
PHISHING
RANSOMWARE
PATCHES
PHYSICAL SECURITY
image source: mangosalaute com
THE ODDS ARE WORKING DENIAL of SERVICE
INSIDER THREATS
image source: mangosalaute.com
5
AGAINST YOU!MISUSE
“A new study reveals that more than 8 out of 10 (88%) companies surveyed admit
Misconception – “Security is an IT thing”their organization experienced a significant security event in the last twelve months with as many a 73% of the companies indicating that the cause was insiders” (The Norris Corporation, 2015)
““While shadowy hackers in Eastern Europe often get the blame for these attacks, more than80% of the breaches that Bruemmer's group works with had a root cause in employeenegligence” (Michael Bruemmer, Experian's data breach resolution group, 2015)
Internal disclosures• Disgruntled employee • Social engineering scams• Phishing scams • Human errors • Privilege escalation
www.mypalmbeachclerk.com
Privilege escalation
The Balancing Act
• Ease of UseM i t
• Compliance• Stability• Maintenance
• Speed to Delivery • Cost Cutting• Simplicity
• Stability • Quality • Availability • Functionality• Simplicity
• Reactive • Get-R-Done• Invisible Success
Functionality• Proactive • Customer Service• Visible Issues Invisible Success
Risk Mitigation
Legal Risks
Financial RisksRegulatory Risk
Political Risks Compliance Risks
Resource Risks Credibility Risks
Reducing Liability“If an organization does not practice due care and due diligence g p gpertaining to the security of its assets, it can be legally charged with negligence and held accountable for any ramifications of that negligence” (Harris, 2010, p. 110)
Due Diligence is the act of continuallyDue Diligence is the act of continually investigating and understanding the risks and vulnerabilities the organization faces. Reducing
Liability
Due Care is implementing security policies, procedures, standards and countermeasures to provide protection from those threats.p p
The Three Tiers Above and Beyond the Technical
THE TECHNICAL LAYER - deals with putting in place the technical infrastructure designed to recognize and preventtechnical infrastructure designed to recognize and prevent breaches from occurring.
TECHNICAL
THE ADMINISTRATIVE LAYER deals with having in place
ADMINISTRATIVE
THE ADMINISTRATIVE LAYER - deals with having in place security policies, procedures, and processes designed to lay a foundation for managing and administering security across the organization.
THE GOVERNANCE LAYER - deals with the ongoing verification and validation of all security system implementations, including
10
GOVERNANCE both the technical and administrative functions
Leadership Support Senior leader buy in (make security important)• Senior leader buy-in (make security important)
• Communicate and educate at all levels
• Create a culture of security awarenessCreate a culture of security awareness
• Establish strong governance (what you permit you promote)
• Incorporate all three tiers (technical, Admin, Compliance) p ( , , p )
• Trust but verify (external audits)
• Be prepared for the worst (incident response plan)
• Define responsibility and accountability at all levels
• Demand continual improvement
• Reward and recognize
11
Setting DirectionSecurity strategy
Security Life Cycle
SecurityStrategy
Building in ResilienceBusiness continuityManagement, disasterRecovery, crisismanagement
development, organization design, management reporting
SecurityGovernance
& Control
Business Continuity
Management
management Creating a Sound Framework of ControlRisk, policy and privacy review, regulatory compliance assessment, data loss preventionM i I id t
Incident Response &
Forensic Investigation Architecture,
Threat & Vulnerability Management
data loss prevention, awareness programsManaging Incidents
Incident response review, corporate and regulatoryInvestigations and readinesscrisis response
Network Security &
IdentityBuilding Secure Systems & InfrastructureS it hit t t k it
Managing ExposurePenetration testing, vulnerability scanning and remediation, continuous
12
Security architecture, network security, cloud computing security, identify and access management solutions, ERP security
and global threat monitoring
ResourcesMulti-State Information Sharing & Analysis CenterMulti-State Information Sharing & Analysis Centerhttp://msisac.cisecurity.org/
Cyber Security Guideshttp://msisac.cisecurity.org/resources/guides/
SANS Information Security Policy Templateshttp://www.sans.org/security-resources/policies/?ref=3731http://www.sans.org/security resources/policies/?ref 3731
NIST Cybersecurity Frameworkhttp://www.nist.gov/cyberframework/
SANS 20 Critical Security Controlshttps://www.sans.org/critical-security-controls/controls
United States Computer Emergency Readiness Teamhttps://www.us-cert.gov/
QUESTIONS?
14